Skip to content

Build and Release

Build and Release #25

Workflow file for this run

name: Build and Release
on: workflow_dispatch
defaults:
run:
# necessary for windows
shell: bash
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.7
- uses: actions-rust-lang/setup-rust-toolchain@v1
- uses: arduino/setup-protoc@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Running examples
run: |
cargo run
prepare-release:
needs: test
runs-on: ubuntu-latest
outputs:
sha: ${{ steps.commit.outputs.sha }}
version: ${{ steps.store-version.outputs.version }}
steps:
- uses: actions/checkout@v4.1.7
name: Fetch entire history (for conventional commits)
with:
fetch-depth: 0
- name: Configure Git
run: |
git config --global user.name GitHub Actions
git config user.email github-actions@github.com
- name: Install Knope
uses: knope-dev/action@v2.1.0
with:
version: 0.18.0
- run: knope prepare-release --verbose
name: Update versioned files and changelog
- name: Store commit
id: commit
run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- name: Store version
id: store-version
run: echo "version=$(knope get-version)" >> $GITHUB_OUTPUT
build-artifacts:
needs: prepare-release
strategy:
matrix:
include:
- target: x86_64-unknown-linux-gnu
os: ubuntu-latest
- target: aarch64-apple-darwin
os: macos-latest
- target: x86_64-pc-windows-msvc
os: windows-latest
runs-on: ${{ matrix.os }}
permissions:
contents: read
id-token: write
env:
archive_name: rhai-test
steps:
- uses: actions/checkout@v4
with:
ref: ${{ needs.prepare-release.outputs.sha }}
- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
target: ${{ matrix.target }}
- uses: arduino/setup-protoc@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Authenticate to GCP using Workload Identity Federation.
# We set up the WI provider in the `github_actions_federation` resource in the
# `platform-infrastructure` repository.
- id: google-auth
uses: "google-github-actions/auth@v2"
with:
workload_identity_provider: "projects/865738624352/locations/global/workloadIdentityPools/github-d8bck/providers/github-d8bck"
service_account: apollosolutions-rhai-test@platform-mgmt-service-e0izz.iam.gserviceaccount.com
project_id: platform-cross-environment
# Gets some secrets from Google Secret Manager.
- id: gsm-secrets
uses: "google-github-actions/get-secretmanager-secrets@v2"
with:
# The format of each line here is OUTPUTNAME:PROJECT/SECRET; you can
# read the secrets later in this file with
# `steps.gsm-secrets.outputs.OUTPUTNAME`. These secrets are created in
# the `argo` resource in the `domain-deployment` repository.
secrets: |-
MACOS_CERT_BUNDLE_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_PASSWORD
MACOS_CERT_BUNDLE_BASE64:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_BASE64
MACOS_NOTARIZATION_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_NOTARIZATION_PASSWORD
MACOS_KEYCHAIN_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_KEYCHAIN_PASSWORD
- name: Build
run: cargo build --release --target ${{ matrix.target }}
- name: Sign Apple Binary
if: ${{ matrix.os == 'macos-latest' }}
run: |
MACOS_CERT_BUNDLE_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_CERT_BUNDLE_PASSWORD}}
MACOS_CERT_BUNDLE_BASE64=${{steps.gsm-secrets.outputs.MACOS_CERT_BUNDLE_BASE64}}
MACOS_KEYCHAIN_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_KEYCHAIN_PASSWORD}}
MACOS_NOTARIZATION_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_NOTARIZATION_PASSWORD}}
APPLE_TEAM_ID="YQK948L752"
APPLE_USERNAME="opensource@apollographql.com"
echo "Pre-check: Valid Codesigning Identify"
security find-identity -v -p codesigning
echo "Pre-check: Codesigning Identify"
security find-identity -p codesigning
echo "Pre-check: Any Identify"
security find-identity
echo "|||||||||||||||||||||||||||||||||||||||||||||"
VERSION=${{ needs.prepare-release.outputs.version }}
BINARY_PATH=target/${{ matrix.target }}/release/${{ env.archive_name }}
ENTITLEMENTS_PATH="macos-entitlements.plist"
# Create a temporary keychain
KEYCHAIN_NAME="rhaitest-keychain"
mkdir $KEYCHAIN_NAME
echo "Creating keychain..."
security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
echo "Removing relock timeout on keychain..."
security set-keychain-settings $KEYCHAIN_NAME
echo "Decoding certificate bundle..."
echo "${MACOS_CERT_BUNDLE_BASE64}" | base64 --decode > $KEYCHAIN_NAME/certificate.p12
echo "Importing codesigning certificate to build keychain..."
security import $KEYCHAIN_NAME/certificate.p12 -k $KEYCHAIN_NAME -P "${MACOS_CERT_BUNDLE_PASSWORD}" -T /usr/bin/codesign
echo "Adding the codesign tool to the security partition-list..."
security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
echo "Setting default keychain..."
security default-keychain -d user -s $KEYCHAIN_NAME
echo "Unlocking keychain..."
security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
echo "Verifying keychain is set up correctly..."
security find-identity -v -p codesigning
echo "|||||||||||||||||||||||||||||||||||||||||||||"
echo "Post-check: Valid Codesigning Identify"
security find-identity -v -p codesigning
echo "Post-check: Codesigning Identify"
security find-identity -p codesigning
echo "Post-check: Any Identify"
security find-identity
echo "|||||||||||||||||||||||||||||||||||||||||||||"
# Sign the binary
echo "Signing code (step 1)..."
codesign --sign "$APPLE_TEAM_ID" --options runtime --entitlements $ENTITLEMENTS_PATH --force --timestamp "$BINARY_PATH" -v
echo "Signing code (step 2)..."
codesign -vvv --deep --strict "$BINARY_PATH"
echo "Zipping dist..."
mkdir "$KEYCHAIN_NAME/dist"
cp "$BINARY_PATH" "$KEYCHAIN_NAME/dist/rhaitest"
zip -r "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" "$KEYCHAIN_NAME/dist"
echo "Beginning notarization process..."
xcrun notarytool submit "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" --apple-id "$APPLE_USERNAME" --password "$MACOS_NOTARIZATION_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait --timeout 20m
- name: Create Archive Folder
run: mkdir ${{ env.archive_name }}
- name: Copy Unix Artifact
if: ${{ matrix.os != 'windows-latest' }}
run: cp target/${{ matrix.target }}/release/${{ env.archive_name }} ${{ env.archive_name }}
- name: Copy Windows Artifact
if: ${{ matrix.os == 'windows-latest' }}
run: cp target/${{ matrix.target }}/release/${{ env.archive_name }}.exe ${{ env.archive_name }}
- name: Create Tar Archive
run: tar -czf ${{ env.archive_name }}-${{ matrix.target }}.tgz ${{ env.archive_name }}
- name: Upload Artifact
uses: actions/upload-artifact@v4.4.0
with:
name: ${{ matrix.target }}
path: ${{ env.archive_name }}-${{ matrix.target }}.tgz
if-no-files-found: error
release:
needs: [build-artifacts, prepare-release]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.7
with:
ref: ${{ needs.prepare-release.outputs.sha }}
- uses: actions/download-artifact@v4.1.8
with:
path: artifacts
merge-multiple: true
- run: |
cd artifacts
ls
cd ..
- name: Install the latest Knope
uses: knope-dev/action@v2.1.0
with:
version: 0.11.0
- run: knope release --verbose
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update Installer version
run: |
VERSION=$(knope get-version)
sed -i "s/PACKAGE_VERSION=\"v[0-9]*\.[0-9]*\.[0-9]*\"/PACKAGE_VERSION=\"v$VERSION\"/" installers/nix/install.sh
git config --global user.name GitHub Actions
git config user.email github-actions@github.com
git add .
git commit -m "Update installer version to v$VERSION"
git push